[OpenAFS] Openafs Client with pam krb5 and ldap
Douglas E. Engert
deengert@anl.gov
Fri, 01 Oct 2010 11:07:03 -0500
On 10/1/2010 10:46 AM, Claudio Prono wrote:
> Hello all,
>
> I am searching someone experienced with an openafs-client with pam,
> kerberos and ldap.
What OS?
>
> I am trying to use a single sign-on to a Linux client with AFS (shell
> user, no local user). I have set up PAM with krb5 and AFS, with these
> configs:
>
> /etc/pam.d/common-auth
>
> auth required pam_env.so
> auth optional pam_gnome_keyring.so
> auth sufficient pam_unix2.so
> auth sufficient pam_krb5.so use_first_pass
> auth required pam_deny.so
>
> /etc/pam.d/common-session
>
> session required pam_limits.so
> session required pam_unix2.so
> session optional pam_krb5.so
> session optional pam_umask.so
> session optional pam_gnome_keyring.so auto_start only_if=gdm,lxdm
>
> /etc/pam.d/common-password
>
> password requisite pam_pwcheck.so nullok cracklib
> password optional pam_gnome_keyring.so use_authtok
> password [default=ignore success=1] pam_succeed_if.so uid > 999 quiet
> password sufficient pam_unix2.so use_authtok nullok
> password sufficient pam_krb5.so
> password required pam_deny.so
>
> /etc/pam.d/common-account
>
> account requisite pam_unix2.so
> account required pam_krb5.so use_first_pass ignore_unknown_principals
> account sufficient pam_localuser.so
> account required pam_ldap.so use_first_pass
Are you sure you need the pam_ldap.so here? It's generally used
only for authentication, and you are using Kerberos.
If you have nss_ldap set up via /etc/nsswitch.conf you should
not need pam_ldap.so.
Which pam_krb5 are you using? Does it do AFS?
If not you will also need pam_afs_session.so to get tokens.
>
> If I do an id [user] on the remote machine, it works (it is not a local user)
>
> id claudio
> uid=1003(claudio) gid=100(users) groups=100(users),1000(domadm),1001(Domain Admins)
>
> But, when I try to log in with an LDAP/Kerberos user, in the machine
> logs I get this:
>
> Oct 1 16:48:03 linux-7w13 sshd[4192]: pam_krb5[4192]: authentication succeeds for 'claudio' (claudio@MEDIASERVICE-TEST.PRI)
> Oct 1 16:48:03 linux-7w13 sshd[4099]: error: PAM: Authentication failure for claudio from 192.168.87.131
>
> I don't understand... why does it first succeed, and then fail?
>
> What is wrong?
>
> Any hint is welcome..
>
> Cheers,
>
> Claudio.
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
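An added example, not code from either poster: a small POSIX shell script that lists the modules in a PAM stack file and flags the case the reply raises, pam_ldap.so in the account stack while nsswitch.conf already resolves users through ldap. The sample files are constructed from the configs quoted in the mail; the nsswitch.conf content is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread: list the modules in a PAM stack file
# and flag pam_ldap.so in the account stack when nsswitch.conf already resolves
# passwd entries through ldap (the redundancy the reply above asks about).
# The sample files below are constructed from the configs quoted in the mail.

# Print the module of every active line in a PAM stack file ($1).
# Handles the bracketed control syntax, e.g. "[default=ignore success=1]".
pam_modules() {
    awk '
        /^[[:space:]]*#/ || NF < 3 { next }
        {
            i = 2
            if ($2 ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++ }
            if (i < NF) print $(i + 1)
        }' "$1"
}

# Succeed when the passwd: line of an nsswitch.conf ($1) includes ldap.
nss_uses_ldap() {
    awk '$1 == "passwd:" { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
         END { exit !found }' "$1"
}

# Succeed when pam_ldap.so is in the account stack ($1) and nss ($2) uses ldap.
pam_ldap_redundant() {
    pam_modules "$1" | grep -qx 'pam_ldap.so' && nss_uses_ldap "$2"
}

# Constructed copies of the quoted common-account / common-password and an
# assumed nsswitch.conf that resolves users through nss_ldap.
ACCOUNT=$(mktemp); PASSWORD=$(mktemp); NSS=$(mktemp)
cat > "$ACCOUNT" <<'EOF'
account requisite pam_unix2.so
account required pam_krb5.so use_first_pass ignore_unknown_principals
account sufficient pam_localuser.so
account required pam_ldap.so use_first_pass
EOF
cat > "$PASSWORD" <<'EOF'
password requisite pam_pwcheck.so nullok cracklib
password optional pam_gnome_keyring.so use_authtok
password [default=ignore success=1] pam_succeed_if.so uid > 999 quiet
password sufficient pam_unix2.so use_authtok nullok
EOF
printf 'passwd: files ldap\ngroup: files ldap\n' > "$NSS"

if pam_ldap_redundant "$ACCOUNT" "$NSS"; then
    echo "pam_ldap.so in the account stack looks redundant: nsswitch already uses ldap"
fi
```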